Saturday, June 18, 2011

Introduction to Metasploit and Armitage


Today I had a great half-day training on Metasploit and Armitage organized by our local OWASP Austin chapter and hosted by Microsoft. What I learned today was so interesting that I can't resist sharing it here.

Raphael Mudge - Designer of Armitage

Metasploit is an open source penetration testing framework. It contains a database of exploits, payloads and post modules. The goal of the training was to find an exploit for a remote machine, run a payload through this exploit and execute a post module (which is what you can do after taking control of the victim's machine). Of course, you can find more detail about it on Wikipedia.

Metasploit is a command-line tool. To make it easier (and more fun), Raphael Mudge designed Armitage, a graphical user interface for Metasploit. Here is what it looks like:
Armitage - GUI for Metasploit

When a machine on the network is compromised, Armitage shows it as a monitor surrounded by lightning. Perfect for a hacker movie :D

Here are the materials we had for this training:
The YouTube video below is the screencast of the exercises. I show how to set up the lab environment. Then I demonstrate how to use Armitage to find and use an exploit. The video ends with a demonstration of social engineering where the attacker takes full control of the victim's computer.


When I first started Armitage, it could not connect to the database. I had to kill all ruby processes and connect again. Once Armitage has started, you may be asked to enter your IP address. If you don't, you can always set it later by running the following command in the console; it sets a global variable.

setg LHOST 10.10.10.10
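Typing the address into Armitage's prompt is error-prone when the lab box has several interfaces (loopback, the host NIC, a VirtualBox host-only adapter). The script below is an added example, not code from the post or from Armitage: it picks the IPv4 address of a named interface out of `ip -o -4 addr` output, refuses loopback (a reverse payload pointed at 127.0.0.1 can never call back), and prints the same `setg LHOST` line as above so it can be saved as a resource script and loaded with `msfconsole -r`. The `ip` output and the interface names (eth0, vboxnet0) are constructed for the example; on a real machine feed it `$(ip -o -4 addr)`.

```shell
#!/bin/sh
# Added example (not from the original post): derive the LHOST setting for a
# Metasploit resource script from the address of a chosen lab interface.

# Constructed sample of 'ip -o -4 addr' output; replace with "$(ip -o -4 addr)"
# on a live machine. Fields: index, interface, "inet", address/prefix, ...
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.10.10/24 brd 10.10.10.255 scope global eth0
3: vboxnet0    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0'

# iface_ipv4 <iface> <ip -o -4 addr output>
# Prints the first IPv4 address of <iface> without its prefix length.
# Returns 1 and prints nothing when the interface has no IPv4 address.
iface_ipv4() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == want && $3 == "inet" {
            split($4, parts, "/")   # "10.10.10.10/24" -> "10.10.10.10"
            print parts[1]
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# lhost_rc <iface> <ip -o -4 addr output>
# Emits the resource-script line "setg LHOST <address>" for <iface>.
# Fails (return 1) if the interface is unknown or only has a loopback address,
# because a callback to 127.0.0.1 would never reach the attacker's listener.
lhost_rc() {
    ip=$(iface_ipv4 "$1" "$2") || return 1
    case $ip in
        127.*) return 1 ;;
    esac
    printf 'setg LHOST %s\n' "$ip"
}

# Usage: pick the lab NIC and load the result into Metasploit or Armitage's
# console. Redirect to a file and run "msfconsole -r lhost.rc" on a real box.
lhost_rc eth0 "$SAMPLE_IP_OUTPUT"
```

The `setg` in the output is deliberate: it sets the global default, so every exploit and handler opened afterwards in the session inherits the right callback address instead of having to be set per module.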

Here are some interesting resources for further reading:

8 comments:

IcebergDelphi said...

Hi, perfect video. I'm new with this tool, but there is something I could not understand yet, for example:
I'm running Backtrack and Armitage on: 192.162.1.1
So, if I did a scan, I found one Windows victim with: 192.168.1.2, then I have to choose my victim and run find attack, so my questions are: 1.- With (find attack) is Armitage going to find vulnerable holes?
2.- So when am I going to know what is the perfect exploit to attack the victim machine?
and 3.- I saw in your video that you open an Internet browser with an IP, what does the IP mean?

Thanks, greetings from Chiapas, Mexico.

Matt Buchner said...

@IcebergDelphi
1. Yes, "Find Attacks" will try to find the specified vulnerability on the target, but there is no guarantee of success, unless you are using Metasploitable. With "Hail Mary", Armitage will try all known vulnerabilities.

2. If you find several exploitable vulnerabilities, read about them to understand which one gives you a higher level of control on the target and which one is the easiest to exploit.

3. The IP I am opening in the web browser at the end of the video is the IP of the server hosting the malicious Java applet. In this case, it is actually hosted by Armitage/Metasploit.

Have fun and be safe!
Matthias

xkazolx said...

I know I need Postgres to create a connection for Armitage but I don't know how to do it on Windows. Can you tell me the settings you used in Postgres?

Matt Buchner said...

@xkazolx,
The Armitage installer provides everything you need. You don't need to install Postgres separately. Also, I used all the default settings. If you share more details about the error you are getting, I might be able to help you.

Anonymous said...

Thanks, but I found the problem, I have installed Metasploit mini. When I changed to Metasploit full everything works.

Mathias said...

Hey Matthias.

Super cool tutorial!
A friend and I have been playing around with it now, and got stuff working.

But we are wondering why you put the "J" in the path from the Java module at the end?

And when we do that, it works, and without it, it doesn't.

Also, when we are in, why can we use stuff like the "key logger" or any other modules?

Thanks.
Mathias.

Matt Buchner said...

@Mathias,
I put J in URIPATH just to put something. It could be anything. By default, the value is random.
Not all exploits give full control on the target, this is why you may not be able to use all the modules.

Qasdi said...

Wow.. very interesting with virtual Metasploit.. I will try it.. Thanks bro. =) Keep it up.